Refactor HTML sanitization: replace DOMPurify with sanitize-html for improved security and maintainability

Fixes serverless Vercel support issue/crash

Signed-off-by: Shahm Najeeb <Shahm_Najeeb@outlook.com>

Author: DefinetlyNotAI

README.md

@@ -23,7 +23,7 @@ documentation.
 - No credentials exposed to client
 - Rate limiting on all endpoints
 - Comprehensive security headers
-- HTML sanitization with DOMPurify
+- HTML sanitization with sanitize-html
 - CSRF protection for state changes
 
 ## Quick Start
@@ -196,7 +196,7 @@ npm start
 - **Framework**: Next.js 16 (App Router)
 - **Authentication**: bcryptjs + JWT
 - **IMAP**: node-imap + mailparser
-- **Sanitization**: isomorphic-dompurify
+- **Sanitization**: sanitize-html
 - **UI**: React + Tailwind CSS + shadcn/ui
 - **TypeScript**: Full type safety
 

SECURITY.md

@@ -31,7 +31,7 @@ It provides **read-only** access to IMAP mailboxes through a secure web interfac
 
 ### Content Security
 
-- **HTML sanitization** - All email HTML sanitized with DOMPurify before display
+- **HTML sanitization** - All email HTML sanitized with sanitize-html before display
 - **Allowed HTML tags whitelist** - Only safe formatting tags permitted
 - **Content Security Policy** - Strict CSP headers on all responses
 - **XSS protection** - Multiple layers prevent cross-site scripting

lib/imap-service.ts

@@ -13,7 +13,7 @@
 import Imap from "imap"
 import {simpleParser} from "mailparser"
 import {getAccountById} from "./imap-config"
-import DOMPurify from "isomorphic-dompurify"
+import sanitizeHtml from "sanitize-html"
 import {EmailCount, EmailDetail, EmailFolder, GetAttachmentParams, GetEmailParams, ListEmailsParams} from "@/types";
 import {FolderSettings, ImapSettings} from "./settings"
 
@@ -336,8 +336,8 @@ export async function getEmail(params: GetEmailParams): Promise<EmailDetail | nu
                         if (attributes && parsed) {
                             // Sanitize HTML to prevent XSS
                             const sanitizedHtml = parsed.html
-                                ? DOMPurify.sanitize(parsed.html, {
-                                    ALLOWED_TAGS: [
+                                ? sanitizeHtml(parsed.html, {
+                                    allowedTags: [
                                         "p",
                                         "br",
                                         "strong",
@@ -357,7 +357,17 @@ export async function getEmail(params: GetEmailParams): Promise<EmailDetail | nu
                                         "tr",
                                         "td",
                                         "th",
+                                        "tbody",
+                                        "thead",
+                                        "span",
+                                        "div",
+                                        "img",
                                     ],
+                                    allowedAttributes: {
+                                        'a': ['href', 'name', 'target'],
+                                        'img': ['src', 'alt', 'title', 'width', 'height'],
+                                    },
+                                    allowedSchemes: ['http', 'https', 'mailto'],
                                 })
                                 : undefined
 

lib/settings.ts

@@ -291,7 +291,7 @@ export const EmailDisplaySettings = {
      * - Users can manually toggle between views if both exist
      *
      * Considerations:
-     * - HTML: Better visual experience, potential XSS risks (mitigated by DOMPurify)
+     * - HTML: Better visual experience, potential XSS risks (mitigated by sanitize-html)
      * - Text: Faster rendering, better for accessibility, more private
      */
     defaultView: 'html' as 'html' | 'text',